In this article, we'll be setting up Squid Proxy [version 4.17] with ICAP. We will be configuring Squid to enable SSL, ICAP (echo mode) & use Squid to filter requests based on file type.
This setup is running on Ubuntu Server 20.04.
Prerequisites
Download the Squid 4.17 and c-icap 0.5.10 source tarballs and copy them to your server.
$ scp /dir/to/downloaded/source linux@remote-server:/home/
In your server, run the following commands:
$ tar xzf squid-4.17.tar.gz
$ cd squid-4.17/
Configure Squid Proxy
Update
$ sudo apt-get update && sudo apt-get -y upgrade
Install the compiler and the development packages the Squid build needs
$ sudo apt-get -y install \
    build-essential \
    libcppunit-dev \
    libsasl2-dev \
    libxml2-dev \
    libkrb5-dev \
    libdb-dev \
    libnetfilter-conntrack-dev \
    libexpat1-dev \
    libcap2-dev \
    libldap2-dev \
    libpam0g-dev \
    libgnutls28-dev \
    libssl-dev \
    libdbi-perl \
    libecap3 \
    libecap3-dev \
    libsystemd-dev
Configure and build Squid with SSL and ICAP support [Reference]
$ ./configure --prefix=/usr \
    --localstatedir=/var \
    --libexecdir='${prefix}/lib/squid' \
    --datadir='${prefix}/share/squid' \
    --sysconfdir=/etc/squid \
    --with-default-user=proxy \
    --with-logdir=/var/log/squid \
    --with-pidfile=/var/run/squid.pid \
    --with-openssl \
    --enable-ssl-crtd \
    --enable-icap-client \
    --enable-ltdl-convenience
$ make
$ sudo make install
Keep the single quotes around ${prefix}: configure expands it itself, whereas an unquoted ${prefix} is expanded (to nothing) by your shell before configure ever sees it. Build as a normal user; only make install needs root. The options this article depends on are --with-openssl and --enable-ssl-crtd (TLS interception with generated host certificates) and --enable-icap-client.
Verify Squid Installation
$ squid -v
The output starts with "Squid Cache: Version 4.17" followed by the configure options; check that --with-openssl, --enable-ssl-crtd and --enable-icap-client are all listed.
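An added check, not part of the original article: a small shell script that parses the output of squid -v and reports which of the three build options this setup relies on are missing. The two sample outputs embedded in it are constructed to show the format, not captured from a real build.

```shell
#!/bin/sh
# Added example (not from the original article): check that the installed squid
# binary was built with the options the rest of this setup relies on.
# Usage after `make install`:  check_squid_features "$(squid -v)"
# It prints every missing option and returns 1 if any is missing.

# Options the SSL-bump + ICAP configuration depends on.
REQUIRED_OPTS="--with-openssl --enable-ssl-crtd --enable-icap-client"

# check_squid_features VERSION_OUTPUT
# VERSION_OUTPUT is the text printed by `squid -v`. Its "configure options:" line
# lists each option in single quotes; quotes and newlines are turned into spaces
# so that each option can be matched as a whole word (optionally followed by "=value").
check_squid_features() {
    output=$(printf '%s' "$1" | tr "'\n" '  ')
    missing=0
    for opt in $REQUIRED_OPTS; do
        case " $output " in
            *" $opt "*|*" $opt="*) ;;
            *) printf 'missing: %s\n' "$opt"; missing=1 ;;
        esac
    done
    return $missing
}

# squid_version VERSION_OUTPUT -> the version number, e.g. 4.17
squid_version() {
    printf '%s\n' "$1" | sed -n 's/^Squid Cache: Version \([0-9.]*\).*/\1/p'
}

# Constructed samples of `squid -v` output (assumed format, not captured from a
# real build): one from the build above, one from a package built without ICAP.
SAMPLE_OK="Squid Cache: Version 4.17
Service Name: squid
configure options:  '--prefix=/usr' '--with-default-user=proxy' '--with-openssl' '--enable-ssl-crtd' '--enable-icap-client'"

SAMPLE_NO_ICAP="Squid Cache: Version 4.17
Service Name: squid
configure options:  '--prefix=/usr' '--with-openssl' '--enable-ssl-crtd'"

if check_squid_features "$SAMPLE_OK"; then
    echo "squid $(squid_version "$SAMPLE_OK"): all required options present"
fi
```

Run it against the real binary with check_squid_features "$(squid -v)"; a non-zero exit status means the proxy was built without one of the features and the ssl_bump or icap_service directives later in this article will be rejected at reconfigure time.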
Navigate to Squid's logs & modify folder ownership
$ cd /var/log
$ sudo chown -R proxy:proxy squid
Start squid & verify it running on the server
$ sudo squid
$ sudo netstat -tulnp
squid should be listening on TCP port 3128, the default http_port. netstat comes from the net-tools package, which Ubuntu Server 20.04 does not install by default; ss -tulnp shows the same information.
SSL Configuration In Squid [Reference]
Change to the Squid configuration directory and create a self-signed CA certificate (the private key and the certificate go into the same file):
$ cd /etc/squid
$ sudo openssl req -new -newkey rsa:2048 -sha256 -days <certificate validity period in days> -nodes -x509 -extensions v3_ca -keyout squidCA.pem -out squidCA.pem
-extensions v3_ca marks the certificate as a CA (basicConstraints CA:TRUE), which browsers require before they accept the per-host certificates Squid signs with it. -nodes leaves the private key unencrypted, so the file permissions set below are what protect it.
Fill in the fields of the self-signed SSL certificate.
Export the certificate alone, in DER format, for import into browsers. squidCA.pem also contains the private key: that file never leaves the server; only squid.der is distributed to clients.
$ sudo openssl x509 -in squidCA.pem -outform DER -out squid.der
Import certificate file squid.der to client browsers.
Restrict the certificate and key file to the user Squid runs as:
$ sudo chown proxy:proxy squidCA.pem
$ sudo chmod 400 squidCA.pem
Create the on-disk cache in which Squid stores the host certificates it generates.
$ sudo mkdir -p /var/lib/squid
$ sudo /usr/lib/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB
$ sudo chown -R proxy:proxy /var/lib/squid
Open squid.conf and find the http_port line (in nano: Ctrl+W, type http_port, Enter); replace it with these lines:
$ sudo nano /etc/squid/squid.conf
#http_port 3128
http_port 3128 ssl-bump cert=/etc/squid/squidCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
sslproxy_cert_error deny all
ssl_bump bump all decrypts every TLS connection through the proxy (the peek at step 1 only reads the client hello first). sslproxy_cert_error deny all makes Squid refuse origin servers whose certificates fail validation instead of re-signing them for the client, so the interception does not hide bad upstream certificates.
Reload the configuration. Run this after every change to squid.conf:
$ sudo squid -k reconfigure
Verify the setup by opening a website from a client browser that goes through the proxy and clicking the lock in the address bar: the site's certificate should now be issued by the self-signed CA you created, not by the site's real CA.
ICAP Configuration in Squid
Build c-icap. Only the echo service is used here, and the default configuration it installs (/usr/local/c-icap/etc/c-icap.conf) already loads it.
$ tar xzf c_icap-0.5.10.tar.gz
$ cd c_icap-0.5.10/
$ ./configure --prefix=/usr/local/c-icap --without-clamav
$ make
$ sudo make install
Run ICAP
$ sudo /usr/local/c-icap/bin/c-icap
While testing, sudo /usr/local/c-icap/bin/c-icap -N -D keeps it in the foreground and prints debug output to the terminal.
Test your ICAP setup with ICAP Client
$ /usr/local/c-icap/bin/c-icap-client
With no arguments the client sends an OPTIONS request for the echo service to localhost:1344; you should get an ICAP/1.0 200 OK response listing the service's headers.
Verify ICAP is running
$ sudo netstat -tulnp
c-icap should be listening on TCP port 1344 (use ss -tulnp if netstat is not installed).
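To see what an ICAP client such as Squid actually puts on the wire, here is an added example (not from the original article or from the c-icap project) that builds a RESPMOD request for the echo service with its Encapsulated byte offsets computed rather than typed by hand. The HTTP request and response inside it are constructed samples; the service URI, the Host header and the Allow: 204 header are assumptions about a loopback c-icap on port 1344.

```shell
#!/bin/sh
# Added example (not from the original article or the c-icap project): build the
# RESPMOD request that an ICAP client sends to the echo service, with the
# Encapsulated offsets computed from the actual byte lengths.
# Send it with:  icap_respmod_request | nc 127.0.0.1 1344
# The echo service answers with the encapsulated HTTP response unchanged,
# or with 204 No Content because the request allows it.

NL='
'
CR=$(printf '\r')
CRLF="$CR$NL"

# Constructed sample HTTP exchange (not captured from a real server): the client
# asked for a PDF and the origin answered with a 9-byte body.
REQ_HDR="GET http://example.test/report.pdf HTTP/1.1${CRLF}Host: example.test${CRLF}${CRLF}"
RES_HDR="HTTP/1.1 200 OK${CRLF}Content-Type: application/pdf${CRLF}Content-Length: 9${CRLF}${CRLF}"
RES_BODY="%PDF-1.4${NL}"

# byte_len STRING -> number of bytes (wc -c output normalised through arithmetic)
byte_len() {
    echo $(( $(printf '%s' "$1" | wc -c) ))
}

# icap_encapsulated REQ_HDR RES_HDR -> value of the Encapsulated header.
# Offsets are byte positions from the start of the encapsulated section:
# the request headers start at 0, the response headers right after them,
# and the chunked body right after the response headers (RFC 3507, 4.4.1).
icap_encapsulated() {
    req_len=$(byte_len "$1")
    res_len=$(byte_len "$2")
    printf 'req-hdr=0, res-hdr=%d, res-body=%d' "$req_len" $(( req_len + res_len ))
}

# icap_chunk_body BODY -> BODY in HTTP chunked encoding (one chunk plus terminator),
# which is how every encapsulated body is carried in ICAP.
icap_chunk_body() {
    printf '%x%s%s%s0%s%s' "$(byte_len "$1")" "$CRLF" "$1" "$CRLF" "$CRLF" "$CRLF"
}

# icap_respmod_request [SERVICE_URI] -> complete RESPMOD request on stdout.
# Host is mandatory in ICAP; Allow: 204 tells the server it may reply 204 instead
# of echoing the whole message back.
icap_respmod_request() {
    uri="${1:-icap://127.0.0.1:1344/echo}"
    printf 'RESPMOD %s ICAP/1.0%s' "$uri" "$CRLF"
    printf 'Host: 127.0.0.1%s' "$CRLF"
    printf 'Allow: 204%s' "$CRLF"
    printf 'Encapsulated: %s%s%s' "$(icap_encapsulated "$REQ_HDR" "$RES_HDR")" "$CRLF" "$CRLF"
    printf '%s%s' "$REQ_HDR" "$RES_HDR"
    icap_chunk_body "$RES_BODY"
}

icap_respmod_request
```

A wrong offset in Encapsulated is the most common reason an ICAP server rejects a hand-built request with 400, which is why the lengths are measured from the strings rather than counted. The same layout (req-hdr, res-hdr, chunked res-body) is what appears in the tcpdump capture at the end of this article once Squid sends PDF responses to the service.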
Add these lines to squid.conf file
$ sudo nano /etc/squid/squid.conf
icap_enable on
adaptation_send_username on
adaptation_send_client_ip on
icap_service srv_resp respmod_precache 0 icap://127.0.0.1:1344/echo
#icap_service srv_req reqmod_precache 0 icap://localhost:1344/echo
adaptation_access srv_resp allow all
#adaptation_access srv_req allow all
icap_service_failure_limit -1
icap_preview_enable off
This sends every response (respmod) through the echo service; the commented srv_req lines do the same for requests (reqmod). adaptation_send_username and adaptation_send_client_ip add the client's login name and IP address to each ICAP request as X-Client-Username and X-Client-IP; that is fine over loopback but goes out in clear text to a remote ICAP server. icap_service_failure_limit -1 means the service is never marked as down, and because the services are declared without bypass=on, requests fail when c-icap is unreachable instead of silently bypassing the filter.
Filter Requests based on file type/extension
In this example, Squid routes PDF uploads (request mode) and PDF downloads (response mode) to the ICAP service. Edit rule_name and content/type and add the lines to squid.conf. req_mime_type matches the Content-Type header the client sends with its request (an upload); rep_mime_type matches the Content-Type header of the server's reply (a download). A reply ACL can only be evaluated once a reply exists, so it belongs in http_reply_access (or in adaptation_access for a respmod service), never in http_access, where Squid logs "ACL is used in context without an HTTP response" and assumes a mismatch.
for request mode
acl rule_name req_mime_type -i content/type
http_access allow|deny rule_name
example (block PDF uploads):
acl pdf_upload req_mime_type -i application/pdf
http_access deny pdf_upload
for response mode
acl rule_name rep_mime_type -i content/type
http_reply_access allow|deny rule_name
example (block PDF downloads):
acl pdf_download rep_mime_type -i application/pdf
http_reply_access deny pdf_download
Two caveats. The request-side match only sees clients that send the raw file as the request body; a browser form upload is multipart/form-data and does not match application/pdf. And because the Content-Type request header is chosen by the client, an http_access allow rule keyed only on req_mime_type and placed before the localnet and deny all rules lets anyone who sets that header use the proxy. Deny rules, and the adaptation_access rules used in the complete configuration below, do not have that problem.
Content of squid.conf
Modify squid.conf as below and reconfigure squid. The routing to ICAP is done by adaptation_access alone; no http_access rule is needed for it, and none is added for the PDF ACLs: a rep_mime_type ACL cannot be evaluated in http_access, and an http_access allow pdf_upload line ahead of the localnet rules would grant proxy access to any client that sends a Content-Type: application/pdf header.
acl localnet src 0.0.0.0/8              # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Content-type ACLs that select what is sent to ICAP
acl pdf_upload req_mime_type -i application/pdf
acl pdf_download rep_mime_type -i application/pdf

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

# ICAP Configuration
icap_enable on
adaptation_send_username on
adaptation_send_client_ip on
icap_service srv_resp respmod_precache 0 icap://127.0.0.1:1344/echo
icap_service srv_req reqmod_precache 0 icap://127.0.0.1:1344/echo
adaptation_access srv_resp allow pdf_download
adaptation_access srv_req allow pdf_upload
#adaptation_access srv_req allow all
icap_service_failure_limit -1

http_access allow localhost
http_access allow localnet
http_access deny all

#http_port 3128
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/squidCA.pem
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
sslproxy_cert_error deny all

coredump_dir /var/spool/squid

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern .               0       20%     4320

cache_mem 512 MB
$ sudo squid -k reconfigure
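Before reloading, it is worth checking the access rules for the two mistakes the content-type ACLs invite: a rep_mime_type ACL used in http_access (where it can never match) and an http_access allow line that depends only on a client-chosen Content-Type header (which opens the proxy). The following is an added example, not part of the original article or of Squid: a shell/awk audit of a squid.conf text. It serves both the rule syntax section above and the complete configuration; the two configuration fragments embedded in it are constructed, one reproducing the faulty rules and one showing the corrected layout.

```shell
#!/bin/sh
# Added example (not from the original article): a small audit of squid.conf
# access rules for the two mistakes that the content-type ACLs invite.
#   1. a rep_mime_type ACL used in http_access (no reply exists at that point;
#      Squid assumes a mismatch, so the rule never does anything)
#   2. an http_access allow line whose only ACLs are req_mime_type: the
#      Content-Type request header is chosen by the client, so anyone who can
#      reach the proxy port gets through by sending that header.
# Usage:  audit_squid_conf "$(cat /etc/squid/squid.conf)"

# audit_squid_conf CONF_TEXT -> one finding per line on stdout (empty if clean)
audit_squid_conf() {
    printf '%s\n' "$1" | awk '
    # Squid requires an ACL to be defined before it is used, so one pass is enough.
    $1 == "acl" && $3 == "rep_mime_type" { reply_only[$2] = 1; next }
    $1 == "acl" && $3 == "req_mime_type" { req_hdr[$2] = 1; next }
    $1 == "acl" && $3 == "src"           { src_acl[$2] = 1; next }
    $1 == "http_access" {
        bad_reply = ""; has_src = 0; hdr_only = 1; n = 0
        for (i = 3; i <= NF; i++) {
            name = $i
            if (name ~ /^#/) break          # trailing comment
            sub(/^!/, "", name)             # negation does not change the ACL type
            n++
            if (name in reply_only) bad_reply = bad_reply " " name
            if (name in src_acl || name == "localhost") has_src = 1
            if (!(name in req_hdr)) hdr_only = 0
        }
        if (bad_reply != "")
            printf "line %d: rep_mime_type ACL%s used in http_access; use http_reply_access or adaptation_access\n", NR, bad_reply
        if ($2 == "allow" && n > 0 && hdr_only && !has_src)
            printf "line %d: \"%s\" is satisfied by any client that sets the Content-Type header (no src ACL)\n", NR, $0
    }'
}

# Constructed fragment with the two faulty rules (the ACL definitions match this article).
CONF_BAD='acl localnet src 10.0.0.0/8
acl Safe_ports port 80 443
acl pdf_upload req_mime_type -i application/pdf
acl pdf_download rep_mime_type -i application/pdf
http_access allow pdf_upload
http_access allow pdf_download
http_access deny !Safe_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access deny all'

# Corrected fragment: access is decided by source network only, PDFs are routed
# to ICAP with adaptation_access, and a reply-side block (uncomment it to refuse
# PDF downloads instead of inspecting them) lives in http_reply_access.
CONF_FIXED='acl localnet src 10.0.0.0/8
acl pdf_upload req_mime_type -i application/pdf
acl pdf_download rep_mime_type -i application/pdf
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access deny all
adaptation_access srv_req allow pdf_upload
adaptation_access srv_resp allow pdf_download
#http_reply_access deny pdf_download
#http_reply_access allow all'

audit_squid_conf "$CONF_BAD"
```

The audit reports line 5 and line 6 of the faulty fragment and nothing for the corrected one. It only recognises the src, req_mime_type and rep_mime_type ACL types; other header-driven types (req_header, for instance) carry the same risk and would need adding to the awk rules.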
Testing it all together
Capture the ICAP traffic on the loopback interface while downloading a PDF through the proxy from your client browser, and stop the capture with Ctrl+C when the download completes:
$ sudo tcpdump -i lo -s 65535 -w icap.pcap port 1344
Open icap.pcap in Wireshark. Port 1344 is dissected as ICAP together with the encapsulated HTTP message, so the content type of the carried response can be filtered on directly:
http.content_type == "application/pdf"
You should see a RESPMOD request to icap://127.0.0.1:1344/echo whose encapsulated HTTP response carries Content-Type: application/pdf, followed by the echo service's reply. Other downloads do not appear in the capture, because adaptation_access srv_resp only hands replies matching pdf_download to the service.